We were using self signed CA certificate to connect MQTT device with vernemq version ‘1.12.3’ and it works without any issue. But with the same certificate, connectivity is not getting established with latest vernemq version - 1.12.6.2
From the pcap we observe that connectivity is getting reset from server side after client responds Client Hello.
Are there any configuration changes to make connectivity allowed?
Awaiting for solution,
Thanks in Advance,
Shashikiran
Instead of 0.0.0.0 you might want to use a specific IP/interface.
Please verify what listeners you have running with vmq-admin listener show
Use a command like openssl _client -connect localhost:8883 to check for a client side opinion on the error. Maybe use a couple of variations of this command, showing the certs, or using -cipher ALL
Also, Verne 1.12.3 is compile with OTP 23.3.2 while Verne 1.12.6.2 is compiled with OTP 24.3.4.5. I’ll check what has possibly changed between those versions in the OTP TLS implementation.
Last but not least: Does VerneMQ log any exception for that connection attempt?
We have below configuration in values.yaml file of vernemq
listener.ssl.default.keyfile=/etc/ssl/vernemq/tls.key
listener.ssl.default.cafile=/etc/ssl/vernemq/ca.crt
listener.ssl.default.certfile=/etc/ssl/vernemq/tls.crt
And we don’t have this configuration ‘listener.ssl.default=0.0.0.0:8883’
shashis@N-20S5PF2WA3KC MINGW64 ~
$ openssl s_client -connect 10.75.217.198:31714
CONNECTED(0000016C)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 293 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
write:errno=10054
We used CA part from the certificate as a certificate ( cacert.pem) and tlskey section for key file (tlskey.pem)
Vernemq is listning on 31714 for MQTT over tls connection.
We are not using the standard ports rather we defined the different ones for secure and non-secure in the yaml file as defined below.
Below is the configuration in vernemq
mqtt:
enabled: true
port: 1883
# This is the port used by nodes to expose the service
nodePort: 31712
mqtts:
enabled: true
port: 8883
# This is the port used by nodes to expose the service
nodePort: 31714
This is a connection reset by the server, so it points to a server side problem, possibly with the reading or loading of the certificates.
I will do some verification of the Verne image to check whether there could be some TLS issues. Should you have additional findings in the mean time, please keep us posted here.
Are you using vernemq/vernemq:1.12.6.2 or vernemq/vernemq:1.12.6.2-alpine?
@Shashikirana There really seems to be an issue in the Docker 1.12.6.x packages; this does not seem related to configuration issues. Doing some more digging on this.
I ran the above command and it did not show any certificate in the output.
Below is the output.
[root@shashimqttqa-control-01 ~]# kubectl exec -it bash
error: you must specify at least one command for the container
[root@shashimqttqa-control-01 ~]# kubectl exec -it vernemq-0 bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
vernemq@vernemq-0:~$ vernemq attach
Remote Shell: Use "Ctrl-G q" to quit.
q() or init:stop() will terminate the vernemq node.
Erlang/OTP 24 [erts-12.3.2.5] [source] [64-bit] [smp:4:4] [ds:4:4:10] [async-threads:1] [jit]
Eshell V12.3.2.5 (abort with ^G)
(VerneMQ@vernemq-0.vernemq-headless.default.svc.cluster.local)1> ranch:info({{10.75.217.198}, 8883})
(VerneMQ@vernemq-0.vernemq-headless.default.svc.cluster.local)1> ranch:info({{192.168.1.22}, 8883})
(VerneMQ@vernemq-0.vernemq-headless.default.svc.cluster.local)1>
User switch command
--> q
You need to ensure you see paths for ca.crt, tls.crt, and tls.key
An easy fix for the Github issue I linked is to use the full linked path for the ca.crt file, as below (adding the ..data). This fixes CA cert loading for the 1.12.6.2 images, so you will need to apply that too.